Feature #1337
open
VLANs with different MAC address than parent interface
0%
Description
In FreeBSD it is possible to host an vlan(4) with a different mac address from the parent.
This needs the parent interface in promiscuous mode, which at present days is not much of a issue.
Linked report here http://forum.pfsense.org/index.php/topic,34094.0.html.
Possibly an option should be given to people activate this issue.
Updated by Chris Buechler over 6 years ago
- Subject changed from Vlan with different mac address than parent interface to VLANs with different MAC address than parent interface
Updated by Renato Botelho over 4 years ago
- Status changed from New to 13
- Assignee set to Renato Botelho
- Target version set to 2.4.4
Updated by Anonymous over 4 years ago
- Status changed from Feedback to 13
James Dekker [6:49 PM]
With SG-5100 and XG-2758 on `2.4.4.a.20180824.1144` (which isn't the latest build, but should include whatever the fix was on `1337`) .. added a VLAN, assigned it as an interface with a static IP on both appliances, enabled the parent interface (no IP set, just enabled so the VLANs could use the interfaces) ... added a allow any rule on the VLAN interface on both pfSense. From either pfSense, I could ping the other. Then on one, I spoofed the VLAN interface mac as `DE:AD:BE:EF:CA:FE`, went to ping and now it fails. Remove the spoofed MAC, pings succeed again.
I his a valid test?
Updated by Renato Botelho over 4 years ago
- Status changed from 13 to In Progress
Updated by Renato Botelho over 4 years ago
- Status changed from In Progress to Assigned
- Target version changed from 2.4.4 to 48
Updated by Jim Pingle almost 4 years ago
- Target version changed from 48 to 2.5.0
Updated by Wik Joh over 2 years ago
It's possible to do this by editing /etc/inc/interfaces.inc and adding the lines below, but it would be nice if it could be done through the UI.
mwexec("/sbin/ifconfig igb0 promisc");
mwexec("/sbin/ifconfig igb0.10 promisc");
mwexec("/sbin/ifconfig igb0.10 ether 00:aa:bb:cc:dd:ee");
Updated by Luiz Souza over 2 years ago
I'm not sure that setting the interface in promiscuous mode is the right thing to do here. There will be performance issues (no more HW filtering).
Please advance with caution.
Updated by Renato Botelho over 2 years ago
- Target version changed from 2.5.0 to Future
Setting the interface in promiscuous mode is not the way to go and without it FreeBSD don't offer a way to make it to work. At least not today. Moving it to Future and we can target it to a version when we have a proper way of doing that
Updated by Flole Systems 5 months ago
Using promiscuous mode might be desirable for some users. If Snort is used for example it puts the interfaces in promiscous mode anyways, so it doesn't really matter if that is needed for this feature.
Anyways, apparently there was a bug in FreeBSD which sounds related and is resolved now: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236983
I suggest to add a checkbox to enable promiscous mode on the parent interface aswell so in case it's necessary that option can be set. A simple hint to try the promiscous mode checkbox if it doesn't work could appear for VLANs aswell.